Hi,
With the emergence of ASP.NET MVC, many web developers have been putting forward ideas and discussing the future of Web Forms. There is a nice podcast on Joe’s blog interviewing Scott Hunter, Senior Program Manager Lead on the ASP.NET Team. In this podcast, Joe and Scott talk about the future of Web Forms and compare it to ASP.NET MVC.
Don’t miss this podcast! Episode #1 – Scott Hunter on the future of ASP.NET Development with Web Forms

Keeping sensitive data in a database has always been one of the most challenging tasks; it needs a deep understanding of system planning and of the security issues that might affect the reliability of the system. Broadly, you may implement one of the following ways to keep passwords in a database:

1 – Storing Passwords as Clear-Text/Plain-Text:

This is the most insecure way of storing passwords in the DB, because each password is kept as clear text without any encryption or hashing. Anyone with access to your database (including anyone who obtains a backup of it) can read every password, modify it, and, since most people reuse passwords, attack your users’ accounts on other systems as well. This imposes a great risk on your system and is not recommended in any scenario.

2 – Using Encryption Algorithms

This is a more secure approach. You may implement an asymmetric or a symmetric algorithm to encrypt and decrypt the data. In asymmetric algorithms, the key used to encrypt data differs from the one used to decrypt it: a public key lets you encrypt the password and a private key lets you decrypt it. Symmetric algorithms, by contrast, use a single key for both encrypting and decrypting. If you implement this method, use a unique key (or key pair) for each user, so that an attacker who obtains one user’s key cannot use it against the others. Note, however, that the decryption keys still have to live somewhere the application can reach them, and an attacker who compromises the application server usually gets the keys along with the database. Because the ciphertext can be turned back into the original password, this method is appropriate only for scenarios that genuinely require password retrieval, meaning the passwords must be recoverable (for example, credentials your system has to present to a third-party service). If password retrieval is not part of your system planning, this method is not recommended.

3 – Hashing Passwords

This technique is one-way, which is what makes it more secure. A “hash function” takes an input of variable length and produces an output of fixed length; SHA-256, for instance, produces a 256-bit output for any input. A secure hash function is designed so that finding two different inputs with the same output is computationally infeasible, and any minor change in the data changes the hash value dramatically, so hashing is also a convenient way to compare large amounts of data. Password recovery is not possible with this solution: the server stores only the hash and compares hashes at login. Keep in mind that if two users have the same password, the hash outputs will be identical; this reveals which users share a password and lets an attacker crack every account at once with a single precomputed table of common passwords, so it is considered a serious weakness. To prevent this, use the “salted-hash” technique: add some additional data (the salt) to the password and then compute the hash of the combined value. For example, you may append the username to the password and hash the whole string; consequently, when authenticating a user, you must first append the username to the entered password, hash it and then compare it with the hash value stored in the database. Usernames are predictable, so for better security generate a random salt for each user and store it in the database next to the hash. Note also that SHA-256 is fast by design, so an attacker who obtains the table can still test an enormous number of guesses per second; a deliberately slow, iterated construction such as PBKDF2 (Rfc2898DeriveBytes in .NET) limits that.

Even with salted hashes, the hashes are still stored on disk and can be cracked offline if the database leaks, and a static password can be replayed by anyone who captures it. So a better approach is required here. In contrast with static passwords, one-time passwords change each time a user logs on to the system, and users usually carry a small hardware token that is synchronized with the server. There are two main types of OTP:

Time-Synchronized: The user must enter the password within a given time window; after that it expires and a new password is generated. This method can suffer from clock skew: if the authentication server and the user’s token do not keep the same time, authentication fails, so servers usually accept the codes of one or two adjacent time windows as well.

Counter-Synchronized: A counter is shared between the server and the user’s device, and each time the device generates an OTP value the counter is advanced. As with the previous method, when the user wants to log on, he enters the password shown on the device. If the user generates codes without submitting them, the device’s counter runs ahead of the server’s, so the server normally checks a small look-ahead window and, on a match, moves its own counter past the code that was used so that the same code cannot be replayed.
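The two OTP types above are standardized as HOTP (counter-synchronized, RFC 4226) and TOTP (time-synchronized, RFC 6238). The following added example (my own code, not from the original post) implements the shared HOTP core in C# and the server-side handling of both failure modes discussed above: counter drift, resolved with a look-ahead window and a replay-safe counter update, and clock skew, resolved by accepting neighbouring time steps. The look-ahead window of 5, the skew tolerance of 1 step, the 30-second step and the 6-digit code length are assumed parameters; the secret is the ASCII key from the RFC 4226 test vectors and is constructed test data.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the original post's code): HOTP (RFC 4226) and TOTP (RFC 6238)
// with server-side handling of counter drift and clock skew.
public static class OneTimePassword
{
    public const int Digits = 6;        // assumed code length
    public const int StepSeconds = 30;  // assumed TOTP time step

    // HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    // truncated to a 31-bit integer and reduced modulo 10^Digits.
    public static int Hotp(byte[] secret, long counter)
    {
        byte[] msg = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg);
        byte[] mac;
        using (var hmac = new HMACSHA1(secret)) mac = hmac.ComputeHash(msg);
        int offset = mac[mac.Length - 1] & 0x0F;
        int binary = ((mac[offset] & 0x7F) << 24)
                   | (mac[offset + 1] << 16)
                   | (mac[offset + 2] << 8)
                   | mac[offset + 3];
        return binary % (int)Math.Pow(10, Digits);
    }

    // Counter-synchronized server side. The device may have produced codes that
    // were never submitted, so look ahead a small window; on success move the
    // stored counter past the matched value so the same code cannot be replayed.
    public static bool VerifyHotp(byte[] secret, ref long serverCounter, int code, int lookAhead)
    {
        for (long c = serverCounter; c <= serverCounter + lookAhead; c++)
        {
            if (Hotp(secret, c) == code)
            {
                serverCounter = c + 1;
                return true;
            }
        }
        return false;
    }

    // Time-synchronized variant: the counter is the number of StepSeconds-long
    // steps since the Unix epoch, which token and server derive from their own clocks.
    public static long TimeStep(DateTime utc)
    {
        DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        long unixSeconds = (long)(utc - epoch).TotalSeconds;
        return unixSeconds / StepSeconds;
    }

    // Tolerate clock skew by also accepting the codes of the neighbouring steps.
    public static bool VerifyTotp(byte[] secret, DateTime serverUtc, int code, int skewSteps)
    {
        long step = TimeStep(serverUtc);
        for (long s = step - skewSteps; s <= step + skewSteps; s++)
        {
            if (Hotp(secret, s) == code) return true;
        }
        return false;
    }

    public static void Main()
    {
        // Constructed test secret: the ASCII key used by the RFC 4226 test vectors.
        byte[] secret = Encoding.ASCII.GetBytes("12345678901234567890");

        // Counter drift: the device has advanced to counter 3 while the server is at 0.
        long serverCounter = 0;
        int deviceCode = Hotp(secret, 3);
        Console.WriteLine("Device shows {0:D6}", deviceCode);
        Console.WriteLine("Accepted within look-ahead window: " + VerifyHotp(secret, ref serverCounter, deviceCode, 5));
        Console.WriteLine("Same code replayed: " + VerifyHotp(secret, ref serverCounter, deviceCode, 5));
        Console.WriteLine("Server counter is now " + serverCounter);

        // Clock skew: the token's clock is 20 seconds behind the server's.
        DateTime now = DateTime.UtcNow;
        int tokenCode = Hotp(secret, TimeStep(now.AddSeconds(-20)));
        Console.WriteLine("Code from a slow token accepted with +/-1 step: " + VerifyTotp(secret, now, tokenCode, 1));
    }
}
```

The look-ahead and skew windows are a trade-off: every extra counter or time step the server accepts gives an attacker one more valid code to guess, so keep both small and add rate limiting on failed attempts.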

The issues mentioned in this article are just a few of the tips that should be considered in order to provide a secure system, and the recommendations given all depend on the system’s requirements and scenario.

Today, I’m going to elaborate on a great feature, the System.Security.SecureString class, which was introduced in .NET Framework 2.0. This class gives you a more secure way to hold sensitive data in memory and makes it harder for an attacker to recover it. The standard System.String class is not a safe place to keep sensitive information, and its contents can also end up in the swap file. Let’s take a look at some disadvantages of using System.String for this purpose:

Because it is not encrypted, anyone with access to the swap file, a memory dump or the process memory can read the data easily.

Strings are immutable: when you “modify” one, a new string is allocated and the old value is not removed from memory, so both the old and the new versions stay around until the garbage collector reclaims them.

There is no reliable way to clear it from memory when you are finished with it.

SecureString encrypts its contents with DPAPI (the Windows Data Protection API) in unmanaged memory. Data encrypted this way by the CLR is only decrypted when you explicitly access it (for example, via the System.Runtime.InteropServices.Marshal helpers), and in contrast with the standard System.String class, SecureString implements the IDisposable interface so that it can be cleared from memory on demand: its allocated buffer is zeroed out when you dispose it. Keep in mind that it protects the data only while it stays inside the SecureString; the moment you convert it back to a System.String, all the disadvantages listed above apply to that copy, so keep any plaintext in unmanaged memory and free it with the Marshal.ZeroFree* methods as soon as you are done.

Now, let’s see an example:
using System.Security;
using System.Runtime.InteropServices;
using System;
using System.Windows.Forms;
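The following is an added console example (my own code, not the original post’s WinForms example) of using SecureString the way the post describes: the password is collected one key at a time so it never exists as a System.String, it is compared with a stored value by decrypting into unmanaged memory only for the duration of the comparison, and every decrypted copy is zeroed in a finally block. The reference value “s3cret” is constructed test data; in real code it would come from a protected store, never from a literal.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example (not the original post's code): collect a password into a
// SecureString, compare it with another SecureString without creating a
// managed string, and zero every decrypted copy.
public static class SecureStringDemo
{
    // Reads a password from the console one key at a time so that the
    // plaintext never exists as a managed (immutable, garbage-collected) string.
    public static SecureString ReadPassword()
    {
        var secure = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secure.Length > 0) secure.RemoveAt(secure.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secure.AppendChar(key.KeyChar);
            }
        }
        secure.MakeReadOnly(); // AppendChar/RemoveAt now throw InvalidOperationException
        return secure;
    }

    // Builds a SecureString from a constructed test value. For tests only: the
    // literal already lives in the assembly and in a managed string.
    public static SecureString FromTestValue(string value)
    {
        var secure = new SecureString();
        foreach (char c in value) secure.AppendChar(c);
        secure.MakeReadOnly();
        return secure;
    }

    // Compares two SecureStrings by decrypting each into unmanaged memory,
    // reading the UTF-16 code units through Marshal, and zeroing and freeing
    // the buffers in the finally block. No managed string is ever created.
    public static bool SecureEquals(SecureString a, SecureString b)
    {
        if (a.Length != b.Length) return false;
        IntPtr pa = IntPtr.Zero, pb = IntPtr.Zero;
        try
        {
            pa = Marshal.SecureStringToGlobalAllocUnicode(a);
            pb = Marshal.SecureStringToGlobalAllocUnicode(b);
            int diff = 0;
            for (int i = 0; i < a.Length; i++)
            {
                diff |= Marshal.ReadInt16(pa, i * 2) ^ Marshal.ReadInt16(pb, i * 2);
            }
            return diff == 0; // accumulated OR keeps the comparison constant-time
        }
        finally
        {
            if (pa != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(pa);
            if (pb != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(pb);
        }
    }

    public static void Main()
    {
        using (SecureString expected = FromTestValue("s3cret")) // constructed test value
        {
            Console.Write("Password: ");
            using (SecureString entered = ReadPassword())
            {
                Console.WriteLine();
                Console.WriteLine(SecureEquals(entered, expected) ? "Match" : "No match");
            } // Dispose() zeroes and frees the encrypted buffer
        }
    }
}
```

The protection described here is the Windows .NET Framework behaviour; on .NET Core and later the contents are not encrypted on non-Windows platforms, and Microsoft no longer recommends SecureString for new development, so treat it as a way to shorten the plaintext’s lifetime rather than as a guarantee.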

Sometimes you may use an assembly that is not strong-named and whose source code is not available. How do you make a strong-named assembly out of it? The ILMerge tool allows you to sign (or re-sign) an assembly with a specified .snk file. Given a weak assembly called “Weak.dll”, you can create a strong-named assembly from it as shown below. Bear in mind that the output is now signed with your key, so your public key vouches for code you did not write and cannot audit; keep the .snk file out of source control, and use ILMerge’s /delaysign option on build machines that should only hold the public key.
ilmerge Weak.dll /keyfile:key.snk /out:Strong.dll

As a C# programmer, you are used to leveraging the “prop” code snippet to create a property. C# 3.0 provides a nice feature called “automatic properties” which lets you avoid declaring a private backing field and writing the get/set logic yourself; the compiler generates both for you. This makes your code more concise and legible. However, you can still write regular properties whenever you need custom get/set logic, for example to validate a value before storing it.

The T-SQL ‘BULK INSERT’ statement lets you load a CSV file, or any other user-specified file format, into a table or view. In a CSV file, each field is separated by a comma and each line represents a record. Note that the file path is resolved on the SQL Server machine and read by the SQL Server service account, and that the statement requires the INSERT and ADMINISTER BULK OPERATIONS permissions, so do not grant it to ordinary application logins. Now, open Notepad and create a CSV file named ‘test.csv’ with the following content:

RedGate ANTS Profiler is a great tool that enables you to identify bottlenecks in your code and optimize memory usage. It also measures how long each line of code takes to execute (line-level timing) and reports the slowest lines of code and procedures. In addition, it integrates into Visual Studio with context sensitivity.